Department of Health and Human Services

OFFICE OF INSPECTOR GENERAL

CONTROLS OVER AUTHORIZED AGENTS
NATIONAL PRACTITIONER DATA BANK

MANAGEMENT ADVISORY REPORT

Richard P. Kusserow
INSPECTOR GENERAL

AUGUST 1991
OEI-12-90-00530


EXECUTIVE SUMMARY

PURPOSE

The purpose of this management advisory report is to recommend that the Public
Health Service (PHS) strengthen controls over authorized agents to assure that
information provided by the National Practitioner Data Bank (Data Bank) is not
misused.

BACKGROUND

Information maintained by the Data Bank is considered confidential and cannot be
disclosed outside the Department of Health and Human Services as specified in
the Data Bank regulations, 42 CFR 60.

During planning for the Data Bank, staff from the Bureau of Health Professions,
PHS, expressed concern to us regarding the confidentiality of the Data Bank
information that was provided to "authorized agents." Specifically, there was
concern that the apparent growth of this industry could lead to "authorized
agents" that did not always follow appropriate procedures or standards involving
the handling of Data Bank information.

FINDINGS

We determined that controls over authorized agents are insufficient.
Procedural guidelines and forms relating to agents do not adequately address
the issue of confidentiality.

RECOMMENDATIONS

We recommended that PHS implement policies to assure that authorized agents are
reputable and that such agents utilize appropriate security measures to assure
the confidentiality of Data Bank information. We also recommended that Data Bank
forms be modified to describe the confidentiality requirement.

COMMENTS

PHS concurred with most of the recommendations in our draft report. PHS did not
agree to the recommendation that, if the agent is a company or organization, it
must be incorporated, licensed or otherwise legally permitted to do business.
Based on the PHS response, we have modified our recommendation.

Because the PHS response to our recommendation that they modify the Data Bank
response form is not clear, we are asking for clarification.


TABLE OF CONTENTS

EXECUTIVE SUMMARY
INTRODUCTION
  Purpose
  Background
FINDINGS
RECOMMENDATIONS
APPENDIX A


INTRODUCTION

PURPOSE

The purpose of this management advisory report is to recommend that the Public
Health Service (PHS) strengthen controls over authorized agents to assure that
information provided by the Data Bank is not misused.

BACKGROUND

Information maintained by the Data Bank is considered confidential and cannot be
disclosed outside the Department except as specified in the Data Bank
regulations, 42 CFR 60. According to Section 60.13, "Persons or entities which
receive information from the Data Bank either directly or from another party
must use it solely with respect to the purpose for which it was provided." For
each violation of confidentiality, a civil money penalty of up to $10,000 can be
levied.

During planning for the Data Bank, staff from the Bureau of Health Professions,
PHS, expressed concern to us regarding the confidentiality of Data Bank
information that was provided to "authorized agents" who queried the Data Bank
on behalf of health care entities. Specifically, there was concern that the
apparent growth of the credential verification industry could lead to
"authorized agents" that did not always follow appropriate procedures or
standards involving the handling of Data Bank information.

Authorized Agents

Sections 60.10 and 60.11 of the Data Bank regulations allow access to the Data
Bank by certain persons or entities, or their authorized agents. According to
the Data Bank Guidebook, an authorized agent is "an individual or organization
(e.g. county medical society, State hospital association), which the health care
entity or individual designates to request information from the Data Bank on its
behalf.." However, since the term "authorized agent" is not restricted by the
Guidebook or defined in the statute or regulation, it is possible that an
authorized agent could be a credential verification business or individual
engaged in activities completely unrelated to credential verification.

Concerns regarding the integrity of authorized agents were expressed in comments
that the PHS received in response to the March 21, 1988 Notice of Proposed
Rulemaking (NPRM), National Practitioner Data Bank. These concerns were set
forth in the October 17, 1989 final regulation as follows:

    Numerous respondents questioned what information would be given in response
    to authorized agents' requests concerning physicians, dentists or other
    health care practitioners...The majority of the respondents expressed
    concern over verification of the identity of individuals and entities who
    request information from the Data Bank.. The Secretary shares these concerns
    about maintaining the confidentiality of the information in the Data Bank
    and will take measures to insure the proper release of this information.
    Since the Data Bank has not been established at this time, it is impossible
    to detail the precise procedures which will be used for the verification of
    the identity of the requesters. At the time of the operation of the Data
    Bank, the Department intends to provide this information to the public in
    the form of guidelines...


FINDINGS

Controls Over Authorized Agents Are Insufficient

The only guidelines concerning the use of authorized agents are found on page 15
of the Data Bank Guidebook, as follows:

    An entity or individual that is eligible to request information from the
    Data Bank, may, at its discretion, use an agent to represent it for
    purposes of requesting information..
    Before an agent may submit a request for information, the entity or
    individual must register the agent with the Data Bank at any time by
    writing to the Data Bank...

The "registration" information required by the Guidebook for any authorized
agent is limited to basic information relating to their name, address, telephone
number, authorized signature and effective date of registration. This
information is provided by letter to the Data Bank by the entity or individual
who will be using the authorized agent.

The registration procedure does not fully address the concern over the identity
of authorized agents that was expressed by respondents to the Data Bank
regulation. The policy for "registration" does not assure that an authorized
agent is responsible or reputable. While hospitals or other established entities
may not warrant such concern, the PHS will have no assurances that an authorized
agent, for which there is no restrictive definition, will be accountable.

In addition, the current Data Bank forms do not address the issue of keeping
information confidential. According to the Guidebook, when an entity, individual
or authorized agent requests information from the Data Bank, it must use Office
of Management and Budget (OMB) Form #0915-0126, Request For Information
Disclosure. This form contains a certification, as follows:

    I certify that the requesting entity identified in Section A of this form
    is authorized, under the provisions of P.L. 99-660, as amended, as
    specified in 42 CFR Part 60, to request and receive information from the
    Data Bank.
    I further certify that the information provided on this form is true and
    complete and that the requesting entity identified in Section A of this
    form has authorized me to request this information.

The certification is followed by a "warning" that "Any person who knowingly
makes a false statement or misrepresentation to the Data Bank is subject to a
fine and imprisonment under Federal statute."

The form entitled "Response To Information Disclosure Request" does not mention
the confidentiality requirements of the law. This form, of course, is used to
transmit Data Bank information to both authorized agents and health care
entities.


RECOMMENDATIONS

In order to strengthen controls over the use of authorized agents, the PHS
should consider requiring such agents to meet certain conditions. We have the
following suggestions:

1. If the agent is incorporated, licensed or otherwise legally permitted by a
   State to do business, require that the health care entity determine whether
   any complaints or lawsuits have been filed or if any investigations or
   sanctions have been instituted against the prospective agent.

2. The proposed agent must possess adequate, i.e. secure, storage facilities and
   have procedures in place to insure meeting confidentiality practices (e.g.
   background checks on employees).

3. There should be a certification from the health care entity that it has
   supplied the authorized agent with a copy of the regulation and guidelines
   relating to the disclosure of Data Bank information.

As an added protection to the confidentiality of Data Bank information, we
recommend that the form currently used by the Data Bank for responding to
queries be modified to include language describing the confidentiality
requirement and the penalty provision for violating the requirement.
Also, PHS may wish to add a statement to the Data Bank query form (OMB
#0915-0126) indicating that the authorized agent and entity understand that the
information must be used solely with respect to the purpose it is being
provided, and for each violation of confidentiality, a civil money penalty of up
to $10,000 can be levied.

PHS Response

The PHS concurred with most of our recommendations. According to PHS, the next
time the Guidebook is revised, it will require that health care entities assure,
in their agreements with authorized agents, that there be physical, technical
and administrative safeguards to assure the confidential and safe treatment of
information received in behalf of entities. The Guidebook will also be revised
to require that the registration letter from a health care entity to the Data
Bank include a statement that the health care entity has supplied the agent with
a copy of the regulation and guidelines relating to the disclosure of Data Bank
information. In addition, during the next revision of the form "Request for
Information Disclosure," PHS will include a statement concerning confidentiality
and the penalty for disclosing information in violation of the law.

The PHS response to another recommendation is not clear. We recommended that,
as an added protection to the confidentiality of Data Bank information, the form
currently used for responding to queries be modified to include language
describing the confidentiality requirement. The second paragraph of the PHS
transmittal memorandum suggests agreement with the recommendation. However, the
third paragraph of the transmittal memorandum outlines the PHS corrective action
on those recommendations to which they have concurred; yet no specific
corrective action is mentioned for the form used to respond to queries.
Furthermore, on page 3 (three) of the PHS detailed response to our
recommendations, PHS indicates that they have "already covered the handling of
information when it is disclosed. Each response...includes a cover sheet
notifying the recipient that the information is confidential and warning of
penalties."

If PHS is disagreeing with our recommendation, we wish to point out that a cover
sheet can be easily separated from the response form and that if the statements
are printed on the response form itself, then anyone who receives a copy of the
response form will be on notice that the information is confidential and may not
be used for non-Data Bank purposes.

Finally, PHS disagreed with our earlier recommendation that if an authorized
agent was a company or organization, it should be incorporated, licensed or
otherwise legally permitted by a State to do business. We agree with PHS that
licensure, incorporation or other approval, per se, would not assure that the
agent is reputable. However, what licensure, etc. might do is provide an
additional source of information for checking up on a particular business, i.e.
have any complaints been filed or any investigations been conducted and how have
they been resolved. Therefore, we suggest that PHS should consider revising the
Handbook guidelines to indicate that if a prospective agent is licensed, etc.
the health care entity determine if any complaints or lawsuits have been filed
or if any investigations or sanctions have been instituted.
We have modified our recommendation accordingly.

A copy of the PHS response is attached as Appendix A.


APPENDIX A

Date:     MA 2 9 1991

From:     Assistant Secretary for Health

Subject:  PHS Comments on Office of Inspector General (OIG) Management
          Advisory Report "National Practitioner Data Bank - Use of
          Authorized Agents," OEI-12-90-00530

To:       Inspector General, OS

Attached are the PHS comments on the subject OIG management advisory report.

We concur with the report's recommendations that in order to strengthen controls
over the use of authorized agents, PHS should require them to meet the following
conditions: (1) the agent must possess adequate and secure storage facilities
and have procedures in place to meet confidentiality practices, (2) there should
be a certification from the health care entity that it has supplied the
authorized agent with a copy of the regulation and guidelines relating to the
disclosure of Data Bank information, and (3) that the Data Bank form for
responding to queries be modified to include language describing the
confidentiality requirement and the penalty for violating the requirement.

We will update the National Practitioner Data Bank User's Guide to provide
additional guidance and direction in the selection and monitoring of authorized
agents engaged by health care entities, as recommended under (1) and (2) above.
Regarding the third recommendation cited above, during the next revision of the
form Request for Information Disclosures, we will include a statement concerning
confidentiality and the penalty for disclosing information in violation of the
law.

We disagree with the recommendation that an agent must be incorporated, licensed
or otherwise legally permitted by a State to do business. Existing procedures
already require that the agents must be identifiable, locatable, accountable,
and suable. We believe these goals are served by the current arrangements which
require the registration of agents.

James O. Mason, M.D., Dr.P.H.


PUBLIC HEALTH SERVICE (PHS) COMMENTS ON
OFFICE OF INSPECTOR GENERAL (OIG) MANAGEMENT
ADVISORY REPORT "NATIONAL PRACTITIONER DATA BANK -
USE OF AUTHORIZED AGENTS"
(OEI-12-90-00530)

General Comments

While our overall concerns regarding confidentiality are covered in the existing
National Practitioner Data Bank User's Guide (Guidebook), the Public Health
Service agrees that a health care entity's election to use an authorized agent
raises particular concerns. Accordingly, we intend to address these issues in
subsequent editions of the Guidebook to provide additional guidance and
direction in the selection and monitoring of authorized agents engaged by health
care entities.

OIG Recommendation

    In order to strengthen controls over the use of authorized agents, the
    Public Health Service should consider requiring such agents to meet certain
    conditions. We have the following suggestions.

    If a company or organization, the agent must be incorporated, licensed or
    otherwise legally permitted by a State to do business.

PHS Comment

It is difficult to see what additional measure of protection will be provided by
such a requirement. We appreciate the point of the recommendation: the agents
must be identifiable, locatable, accountable, and, indeed, suable. As a matter
of fact, we believe that these goals are served by the present arrangements.
Existing procedures require the registration of agents. Any querying entity
using an agent must advise the Data Bank of the complete name, address, and
telephone number of the agent.
The agents are formally accountable to the institutions that engage them, and
are clearly identified to the Data Bank. The technical status of incorporation
or licensure would seem to add little in the way of accountability. Such
requirements as those suggested would not assure that the agent is "reputable."

OIG Recommendation

    The proposed agent must possess adequate, i.e., secure, storage facilities
    and have procedures in place to insure meeting confidentiality practices
    (e.g., background checks on employees).

PHS Comment

We agree that agents should possess such facilities and have other procedures in
place to insure their meeting confidentiality practices. While we believe it is
not necessary to impose these requirements formally by regulation, we will
include in our next edition of the Guidebook technical guidance for those
entities executing agreements with agents.

Specifically, we will recommend that the entities require, in their agreements
with agents, that there be physical, technical and administrative safeguards to
assure the confidential and safe treatment of information received on behalf of
the entities. We will also recommend that these agreements (1) explicitly
prohibit the agent from using the information obtained in Data Bank transactions
for any other purpose, (2) require that this information be segregated from the
agent's other information, and (3) permit immediate revocation of the agreement
for non-compliance with these confidentiality provisions.

OIG Recommendation

    There should be a certification from the health care entity that it has
    supplied the authorized agent with a copy of the regulation and guidelines
    relating to the disclosure of Data Bank information.

PHS Comment

When we revise our Guidebook we will add instructions for registering an agent
with the
Data Bank. We will include a requirement that the registration letter from a
health care entity to the Data Bank include a statement that the health care
entity has supplied the agent with a copy of the regulation and guidelines
relating to the disclosure of Data Bank information. We expect to complete the
revision of the Guidebook March 1992.

OIG Recommendation

    As an added protection to the confidentiality of Data Bank information, we
    recommend that the form currently used by the Data Bank for responding to
    queries be modified to include language describing the confidentiality
    requirement and the penalty provision for violating the requirement. Also,
    you may wish to add a statement to the Data Bank query form indicating that
    the authorized agent and entity understand that the information must be
    used solely with respect to the purpose it is being provided, and for each
    violation of confidentiality, a civil money penalty of up to $10,000 can be
    levied.

PHS Comment

This is effectively being done, although the relevant material is not actually
printed on the forms.

The instructions which must be used in completing the Request for Information
Disclosure form clearly address the issue of confidentiality and describe the
penalty for disclosing information in violation of the law. When we next revise
the form, we will include an explicit statement on the form regarding this,
although there are form size constraints that may limit us in this regard.

More importantly, we have already covered the handling of information when it is
disclosed. Each response by the Data Bank to a request for information includes
a cover sheet notifying the recipient that the information is confidential and
warning of penalties to be imposed.

We believe these notices effectively serve the purpose intended by the
recommended actions.